GlobalSign Blog

16 Mar 2018

Valuable Steps to Make Your Bitcoin Wallet Safe and Secure

Bitcoin is one of the oldest and most widely used peer-to-peer payment systems today whose market cap value at the present moment is much more than other cryptocurrencies. Owing to the extensive popularity, many companies, as well as individuals, have already started integrating Bitcoin as a payment system.

However, there is always a threat looming over the security of digital wallets. Last year we saw multiple ransomware attacks, including WannaCry which attacked several computer systems worldwide using Microsoft Windows and demanded ransom payment in Bitcoin cryptocurrency. Although the transaction process of Bitcoin is based on blockchain technology, making it extremely difficult to hack the information on cryptocurrency, you still need to meticulously secure your Bitcoin wallet.

Let’s first discuss what a Bitcoin wallet is. A Bitcoin wallet is a digital wallet where Bitcoins are stored. Obviously, you cannot store your Bitcoins anywhere as they contain a private key or secret number for every Bitcoin address saved in the wallet. There are different types of Bitcoin wallets, such as a software wallet, online wallet, electronic wallet, hardware wallet or paper wallet. But, before we can discuss the various methods and techniques used to secure Bitcoin wallets, it‘s important to throw some light on the major security concerns and threats.

To begin with, you must be aware of common threats, such as duping the users through fake cryptocurrencies, the illicit phishing method, secretly knowing the confidential lock PIN code of your phone, attempting to steal the cryptographic keys, etc.

The hacker can also hack your Bitcoin wallet by using old password backups. This can be done by creating a recovery program. So, even if the password is changed at frequent intervals, it won’t promise that your wallet is safe.

There is the Sybil attack where the hacker blocks the transactions from all other users as he tries to control the network with nodes. The users can only connect to blocks that are created by the hacker.

The 51% attack usually occurs during the initial stages of developing a Bitcoin wallet app when the attacker has more computing power than the developer.

Other forms of attack include slow down time, vulnerable transactions, Denial-of-Service (DoS) and more.

So, now we know some of the common threats and are aware that even the two way authentication process, the mysterious nature of Bitcoin, and the absence of any third-party are not adequate enough to secure the digital transactions. Let’s look into how you can secure your Bitcoin wallets.

Hardware Wallet Storage or Offline Mode

One of the first steps that you can take to secure your Bitcoin wallet is to use cold storage aka storing the Bitcoin values in a hardware wallet. This is also called the offline method since it does not require a link to the internet. This option is not as prone to hacking.

To tell you more, it’s a kind of physical storage similar to what we see with USB drives. However, it is recommended that you should not store a large amount of cryptocurrency in cold storage; the best way is separating the Bitcoins on two fronts. The first, which is a small amount, can be kept online for trading purposes and the second amount can be stored in the hardware wallet.

If we talk about cold storage wallets, then Trezor or the Ledger Nano S can be cited as examples. However, you need to pay a charge of up to $100 for setting up and getting the PIN number, which is the password used to access the wallet contents. You will also get a recovery seed in case you forget PIN or it malfunctions. But, if you lose both your PIN as well as recovery seed, then you will run into trouble.

Creating Backup(s) of Your Wallet

The experts are in the favor of creating backups to remain on the safe side in case the device or data gets lost. You have to back up your entire Bitcoin wallet to protect it against computer failures and human errors. This would include Bitcoin stored in cold storage and small amount kept for trading purposes. You can recover your stolen wallet if it is encrypted.

You should back up your entire wallet. There are some wallets that contain hidden private keys internally. If you only back up those private keys, and not the whole wallet, you might not be able to recover all of your funds.

It is important to encrypt your backups, as the funds stored online are prone to theft. Even the computer system connected with internet becomes vulnerable, provided it is not properly secured.

It’s not a good idea to use a single location for backing up the Bitcoin wallet data. So, make use of multiple locations so that you can recover your lost data easily.

Regular back up is necessary as it ensures all recent Bitcoin addresses and any new Bitcoin addresses you created are included in the backup. You should do this in case of any hardware crash or if have to go for computer formatting.

Encrypting the Bitcoin Wallet

Encrypting your Bitcoin wallet adds an extra layer of security. The wallet can be encrypted by using a passphrase. The passphrase allows you to lock your coins and it becomes difficult for the hacker to take anything unless he knows your passphrase.

If you are using a mobile device or a laptop to conduct the Bitcoin transaction, then encrypting your wallet becomes all the more necessary as you are connected to the internet.

Strong Password

You should already know this well, but just in case you don’t, the password should be very strong. Include everything from caps to numbers and special characters. Don’t store it anywhere.

Don’t Forget Your Password

Never forget your password or else it will be very difficult to get back your lost fund. Bitcoin offers very few chances of password recovery. So, memorize it.

Updating the Software on Regular Basis

Software updates are one of the most common security measures out there. You must use the latest version of the Bitcoin software irrespective of whichever software you are using. The updated software will keep informed about the latest security fixes. It will also safeguard your wallet features. If your Bitcoin wallet is not updated, then you can easily become the prime targets for the attackers and the phishers.

In addition, it is also equally important to keep your devices up-to-date in which you have stored all the vital data. So, make sure you opt for its servicing too.

Opting for Multi-Signature

Multi-Signature is one of the essential steps that will help ensure that your Bitcoin wallet is safe and secure. Now, what is it? Well, it is a process in which a particular transaction has to get an approval from, for example, no less than three to five individuals.

Any organization can give permission to access its Bitcoin wallet, but the withdrawal of funds can be done under only one condition that the transaction is signed by 3 to 5 people. The Bitcoin wallet uses the multi-signature facility allowing user to take control over his money and preventing from thefts.

Two Factor Authentication Process

One of the techniques to secure a Bitcoin wallet is two-factor authentication (2FA). This process is considered optimum because it requires two pieces of information before it grants access to the wallet. This means, even if someone were to guess or obtain your password, they would still not be able to access your wallet without the other factor.

You have a couple of options for setting up 2FA for your wallet. One is Google Authentication, which uses a six digit number that keeps changing every minute but is always known to you. Another option uses biometrics, which have become very popular. Here you have to give your fingerprint. You can follow any one of the options, whichever is convenient for you. It’s worth noting that not all wallets offer 2FA.

Some Other Methods to Follow

You should follow a number of methods to secure your Bitcoin wallet. Here’s a good checklist:

Open websites and emails very carefully. A number of phishing emails are sent through Google Ads and this is becoming common these days. Make sure that the emails contain proper addresses and have correct domain names. It is advisable to use a non-public email for carrying out crypto transactions. Also, be cautious while using Wi-Fi (especially public Wi-Fi) when connecting to the internet.

Turn off automatic updates that are related to your Bitcoin wallet so that the software does not get updated on its own without your permission. If you fail to do that, your system can get affected with bugs and this would literally mean that you will lose all your vital data. You can wait for a couple of days after the update is released to check if a bug is present or not.

Check if there is any SSL security mark in the address window of your web browser. This is a security sign that indicates that your browser is encrypted. The website should always begin with HTTPS.

Check the address of the sender twice or even thrice before sending him the payment. An attacker can attack on the address and use the copy paste option to send the money to a different address. The best possible option is first sending a very small amount and once it gets verified, then send the larger amount.

Conclusion

We all know that the attackers today have become very smart and technologically intelligent. With its rise in popularity, there have been a number of incidents involving theft of Bitcoin. We can cite some major incidents here.

So, we need to stay alert and always keep the system and software updated. The storage of Bitcoin values, creating a backup and data encryption are all essential in this regard.

About the Author

Mehul Rajput is an entrepreneur and CEO of Mindinventory, a Blockchain development company. He does blogging as hobby and love to write on mobile technologies, startup, entrepreneur and app development.

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign

GlobalSign respects your right to privacy. This privacy policy has been developed to inform you about the privacy practices followed by GlobalSign in connection with its websites, products and services. This privacy policy does not apply to GlobalSign services offered by or through our partners, resellers or other third parties, or other third party services or websites, and we encourage you to read the privacy policies of those parties.

This privacy policy will inform you about what data is collected, how we use such data, where data is processed, how you may opt out of your data being used, the security provisions around storing your data and how to correct, update or delete your data.

1. Data Controller

The data controller for personal data collected within the EU is GMO GlobalSign, Ltd., having its registered offices at Springfield House, Sandling Road, Maidstone, Kent, ME14 2LP, United Kingdom. All questions or requests regarding the processing of data may be addressed to: dpo@globalsign.com.

2. Collection of Personal Information

We collect information from you when you (i) place an order for a GlobalSign digital certificate product or other product or service, (ii) scan your servers for digital certificates using our Certificate Inventory Tool (CIT), (iii) apply for access to our managed service platforms, (iv) subscribe to our newsletter, (v) use our online chat service, (vi) download a white paper, (vii) register for a webinar, (viii) respond to a survey, (ix) fill out a form for pre/post sales assistance, (x) open a support ticket, or (xi) your use of social media.

GlobalSign is a Certification Authority and trusted third party. To fulfill requests for digital certificates or other products or services, you may be asked to enter your name, email address, physical address, phone number, credit card information and/or organizational details or other personal information.

- Relationship information that helps us do business with you, such as the types of products and services that may interest you, contact and product preferences, languages, marketing preferences and demographic data.

- Transactional information about how you interact with us, including purchases, inquiries, customer account information, billing and credit card information, organizational details, transaction and correspondence history, and information about how you use and interact with our website.

We may develop and acquire additional information about you using third-party (public and private) data sources such as third party databases and government agencies, as well as your browsing and purchasing history in order to process orders for certificates and to improve our services.

GlobalSign treats personal information as confidential, except for the information included in an issued digital certificate. Such information may be verified using third party commercial and government resources, and as such, is deemed to be public information.

3. Purpose of Processing

Your personal data will be used for the purposes specified below:

3.1 To process applications for GlobalSign products and services

Your information is used to provide our products and services and order processing as well as to conduct business transactions such as billing.

The email address you provide for order processing may be used to send you renewal notices for your expiring digital certificate.

3.4 To send service updates

In addition, subject to your consent where required, we may send you new service updates, security updates, related product or service information, and status updates on maintenance windows or service availability.

3.5 To tell you about our products and services

Subject to your consent where required, we may send you periodic company newsletters, information about our products and services that may be of interest to you based on your use of other GlobalSign products and services, your attendance at GlobalSign sponsored marketing events such as webinars, your requests for information about similar products and services, or your sharing of data with social media sites such as LinkedIn or Facebook.

4. Legal Basis for Processing Personal Data

We will process your data for the purpose of performance of our contract with you or the legitimate interest of GlobalSign, which are our usual business activities. In other cases, we will request your consent for the processing of the personal data you may submit.

Your refusal to provide personal data to us for certain products and services may hinder us from fulfilling your order for those products or services. Also, if you deny or withdraw your consent to use personal data or opt out of receiving information about GlobalSign products and services this may result in you not being made aware of renewal notices, periodic company newsletters, new service updates, security updates, related product or service information, and status updates on maintenance windows or service availability. See Section 10 below for how to withdraw your consent.

5. Use of Cookies and web beacons

The GlobalSign Certificate Center (GCC) uses cookies to enable the fulfillment of services. Cookies may be used when you log into the GCC, purchase products or use certain GCC functions.

In addition, like most online businesses, GlobalSign uses cookies and web beacons on our websites and through marketing related emails to gather and analyze some personal data such as the visitor's IP address, browser type, ISP, referring page, operating system, date/time and basic geographical information.

We use cookies and web beacons to compile aggregate data about site traffic and site interaction so that we can gauge the effectiveness of our communications and offer better site experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

First time visitors may choose to not have any activity monitoring cookies set in their browser. We use an opt-out identification cookie to tag these users as having made this decision. Those cookies that pertain to site performance, experience improvement and marketing are programmed not to execute when an opt-out cookie is present in a visitor's browser. Opt-out cookies persist until a visitor clears their browser cookies, or until their expiration one year after the set date. A visitor is required to opt out again after one year in order to disable any activity monitoring cookies.

6. Use of application logs for diagnostics or to gather statistical information

Our servers automatically record information ("Application Log Data") created by your use of our services. Application Log Data may include information such as your IP address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device and application IDs, search terms, and cookie information. We use this information to diagnose and improve our services. Except as stated in section 8 (Data Retention), we will either delete the Application Log Data or remove any account identifiers, such as your username, full IP address, or email address, after 12 months.

7. Sharing of Information and Transfers of Data

We do not sell or trade your personal information to outside parties.

Within GlobalSign: GlobalSign is a global organization with business processes and technical systems in various countries. As such, we may share information about you within our group company and transfer it to countries in the world where we do business in connection with the uses identified in section 3 above and in accordance with this Privacy Policy. In cases where your personal data is transferred to countries that do not provide an adequate level of protection according to the European Commission ('adequacy decision'), we ensure your data is protected by entering into agreements containing standard contractual clauses approved by the European Commission with each of our group companies. A copy of these agreements may be obtained by contacting us as outlined in section 15 below.

Third Parties: We may also transfer your personal data to trusted third parties and our partners in order to serve purposes that are specified in section 3 above. GlobalSign uses a third party to process credit card payments and provides credit card numbers and identifying financial data directly to the third party credit card processor.

In circumstances where data is shared with such third parties, they are required to comply with confidentiality terms included in our data processing agreements. This prohibits such third parties from selling, trading, using, marketing or otherwise distributing GlobalSign customer data.

As Required by Law: We may also release your information when we believe release is appropriate to comply with the law or protect our rights, property, or safety.

It is our policy to notify customers of requests for their data from law enforcement unless we are prohibited from doing so by statute or court order. Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other process that specifically precludes member notification, such as an order issued pursuant to 18 U.S.C. §2705(b).

Mergers & Acquisitions: We may also disclose your personal information to third parties who may take over the operation of our site or who may purchase any or all of our assets, including your personal information. We will contact you using the details you provide if there is any change in the person controlling your information.

8. International Transfers

The third parties, subsidiaries and affiliates to which your personal information can be disclosed may be located throughout the world. Therefore, information may be sent to countries having different privacy protection standards than your country of residence. In such cases, we take measures to ensure that your personal information receives an adequate level of protection, which includes the EU Standard Contractual Clauses to protect your personal information.

9. Data retention

The personal information we collect is retained for no longer than necessary to fulfil the stated purposes in section 2 above or for a period specifically required by law or regulation that GlobalSign is obligated to follow.

To meet public CA audit requirements as detailed in the GlobalSign Certification Practice Statement, personal data used to fulfill verification of certain types of digital certificate applications will be retained for a minimum of 10 years depending on the class of product or service and may be retained in either a physical or electronic format. Please refer to the GlobalSign Certification Practice Statement for full details.

After the retention period is over, GlobalSign securely disposes or anonymizes your personal information in order to prevent loss, theft, misuse, or unauthorized access.

10. Opting out; withdrawing consent

If at any time you would like to unsubscribe from receiving future emails, we include unsubscribe instructions at the bottom of each email.

Renewal notices may be cancelled on a per digital certificate basis by logging into your GlobalSign Certificate Center (GCC) account and disabling renewal notices.

Email preferences for CIT related/collected information can be updated and changed within CIT.

You are responsible for providing GlobalSign with true, accurate, current and complete personal information. Also, you are responsible to maintain and promptly update the information to keep it true, accurate, current and complete.

You have the right to access and modify your personal data stored on GlobalSign systems. You can exercise your rights by contacting us in writing. We will require you to provide identification in order to verify the authenticity as the data subject. We will make reasonable efforts to respond to and process your request as required by law.

To the extent of applicable law, you may have the right to request erasure of your personal information, restriction of processing as it applies to you, object to processing and the right to data portability. You may also have the right to lodge a complaint with a supervisory authority.

If you provide any information that is untrue, inaccurate, not current or incomplete, or if we have reasonable grounds to suspect that such information is untrue, inaccurate, not current or incomplete, we have the right to suspend or terminate your account and refuse any and all current or future services.

12. How we protect your information

We implement a variety of security measures to maintain the safety of your personal information when you place an order or enter, submit, or access your personal information. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL).

After a transaction, your transaction-related information will be kept on file to meet audit requirements and facilitate renewals. We do not retain any credit card details.

13. Relevant laws

GlobalSign commits itself to protect the personal information submitted by applicants and subscribers for its public certification services. GlobalSign declares to fully respect all rights established and laid out in European Union and Member States' laws and regulations:

- European Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and as replaced by Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the EU General Data Protection Regulation); and

- Provisions of the GlobalSign CPS.

14. Changes to our Privacy Policy

If we make material changes to our privacy policy, we will inform customers by emailing a notice of the availability of a new version with a link to the new version.

15. Contact Us

If you have any inquires, or questions regarding our privacy policy, please contact us at:

We use the data you submit only for purposes identified in section 3 of this privacy policy.

You have the right to review your personal data that GlobalSign holds and check it for accuracy.

You have the right to correct data in the case that errors may be found in our records.

You have the right to request that any of your personal data be erased. i.e. right to be forgotten.

You have the right to obtain and reuse use your personal data for your own purposes

You have the right to request that GlobalSign restrict the processing of your personal data under certain circumstances.

You have the right to object to our processing of your personal data.

14. Changes to our Privacy Policy

If we make material changes to our privacy policy, we will inform customers by emailing a notice of the availability of a new version with a link to the new version.

15. Contact Us

If you have any inquires, or questions regarding our privacy policy, please contact us at:

Contact

Follow Us

GlobalSign is the leading provider of trusted identity and security solutions enabling businesses, large enterprises, cloud service providers and IoT innovators around the world to secure online communications, manage millions of verified digital identities and automate authentication and encryption. Its high-scale Public Key Infrastructure (PKI) and identity solutions support the billions of services, devices, people and things comprising the Internet of Everything (IoE).